Data Protection Policy
Introduction
In order to provide music tuition, I need to gather, store and use certain forms of information about individuals. These can include students, parents or carers of students, schools and other people. This policy explains how this data is collected, stored and used in order to comply with the General Data Protection Regulation (GDPR).
Why is this policy important?
This policy ensures that I:
- Protect the rights of students
- Comply with data protection law and follow good practice
- Protect from the risks of a data breach
Who and what does this policy apply to?
This applies to Philip Anderson (the Teacher) & Anne Anderson (Finance).
It applies to all data that I hold relating to individuals, including:
- Names
- Dates of birth
- Email addresses
- Postal addresses
- Phone numbers
- Medical information
- Any other personal information held (e.g. financial)
Roles and responsibilities
Philip & Anne Anderson have a responsibility to ensure that they adhere to this policy.
Data controller
The Data Controller is Philip Anderson. He is responsible for why data is collected and how it will be used. Any questions relating to the collection or use of data should be directed to the Data Controller.
1. I fairly and lawfully process personal data
I will only collect data where lawful and where it is necessary for the legitimate purposes of my business.
A student's name, date of birth, medical conditions and address, telephone numbers and email address (as well as that of a parent or carer if the participant is under the age of 18 years) will be collected when they first sign up for lessons and will be used to contact the student (or their parent or carer) regarding lessons.
2. I only collect and use personal data for specified and lawful purposes
When collecting data, I will always explain to the subject why the data is required and what it will be used for.
I will never use data for any purpose other than that stated or that can be considered reasonably to be related to it. For example, I will never pass on personal data to 3rd parties without the explicit consent of the subject.
3. I ensure any data collected is relevant and not excessive
I will not collect or store more data than the minimum information required for its intended purpose.
For example, we need to collect email addresses from students, parents or carers in order to be able to contact them with invoices, but data on their marital status or sexuality will not be collected, since it is unnecessary and excessive for the purposes of teaching.
4. I ensure data is accurate and up-to-date
I will ask individuals to check and update their data on an annual basis.
Any individual will be able to update their data at any point by contacting the Data Controller by emailing me or via the Contact page.
5. I ensure data is not kept longer than necessary
I will keep data on students for no longer than 6 months after our involvement with the students has stopped, unless there is a legal requirement to keep records.
6. I process data in accordance with individuals’ rights
The following requests can be made in writing to the Data Controller by emailing me or via the Contact page:
- Individuals can request to see any data stored about them (a Subject Access Request). Any such request will be actioned within 30 days of the request being made.
- Individuals can request that any inaccurate data held about them is updated. Any such request will be actioned within 14 days of the request being made.
7. I keep personal data secure
I will ensure that data held by me is kept secure.
- Electronically-held data will be held within a password-protected and secure environment.
- Physically-held data (e.g. personal details forms) will be stored in a locked filing cabinet.
- Access to data will only be given to Philip Anderson (the Teacher) and Anne Anderson (Finance).
8. Transfer to countries outside the EEA
I will not transfer data to countries outside the European Economic Area (EEA), unless the country has adequate protection for the individual (e.g. USA).
Cookies
A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.
I use cookies on my website www.dursleybrass.co.uk in order to monitor and record activity. This allows me to improve users’ experience of the website by, for example, allowing for a ‘logged in’ state, and by giving me useful insight into how users as a whole are engaging with the website.
A pop-up box on www.dursleybrass.co.uk will appear each time a user makes a new visit to the website. This will allow them to click to consent (or not) to continuing with cookies enabled, or to ignore the message and continue browsing (i.e. give their implied consent).